Analysis

  • max time kernel
    93s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-05-2024 22:19

General

  • Target

    764b2530d5d53eb19a16030f1acbc810_NEIKI.exe

  • Size

    442KB

  • MD5

    764b2530d5d53eb19a16030f1acbc810

  • SHA1

    97b8e007ccde836487648b4f9ad0b031fd92e1d4

  • SHA256

    8883fe5419b8e9a2c69f780814b186b7e95a54234d3ae3cdf1f520191c6a17a3

  • SHA512

    27521a928b2e51aae18417896a976b9a0e41e2a98d6633ee3fa3f2ddf1436532b804d4971d5975fffd318f7a7313627ab0630db2aa3e92c461efc1c3306d8d33

  • SSDEEP

    6144:r/o4H3gaDLFHlB7goSsj/ZQUWvYqDUbsbX6EdK77RXW7VGwrLO8O77v:rgA3gaDdAoSOWUWvXbX5g7pW7JM

Score
10/10

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

121.88.5.182

112.223.217.101

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoCs)
  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\764b2530d5d53eb19a16030f1acbc810_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\764b2530d5d53eb19a16030f1acbc810_NEIKI.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      "C:\Users\Admin\AppData\Local\Temp\sander.exe"
      2⤵
      • Executes dropped EXE
      PID:900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
      2⤵
      PID:4524

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

      Filesize

      289B

      MD5

      b776fea7db8d2df9fbe3ce9dda27d189

      SHA1

      5eeb498091fc207fb7b8e1fc665e16a6ea794483

      SHA256

      da2dec127a84ad570195a94122be733cb26b9294a649ea2cfeac52af29443bcd

      SHA512

      340254ef283299a069c99b67699c27e0016d48e13b11e4072cc7467044ed34189e0f2e9474e6364ab10d811c59025724c0f894376b7608c043ad92eb74b12ab2

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

      Filesize

      512B

      MD5

      478fec1df0aef79beb699928cb2787fa

      SHA1

      dfff00b9eceaebff908ca9681320d4c770f14814

      SHA256

      c186c06d9bed7785981b05d4c474afd33a83f9ef0e8f5a558505a44af519ec30

      SHA512

      9875eb579e6ab7d8595be86eb53bb8aec6b6d09af4f96742aea1dbcf21fda7e1b7bb561ad5bdbc560472d94e76eca975e33d8ca9ae6e30d1261b86dbb511cf6f

    • C:\Users\Admin\AppData\Local\Temp\sander.exe

      Filesize

      442KB

      MD5

      0e4fb3811ce3d7ad53b1ac064c9ead24

      SHA1

      ba750aba5e02df8db37e589dcca0dad490533ea3

      SHA256

      341613941127bbd2ae2a0f15316e1ab0456c473dbe504279d82dd9efef6e18a8

      SHA512

      c9ea0b2652f1402eb61763fb05034a3aa902e9c6a12143c04cfeb88579f4010507bab511d6fda612d1f2593711a38e9f7c0a71d31e2d987d38261cd68762f8c4

    • memory/400-0-0x00000000009A0000-0x0000000000A3E000-memory.dmp

      Filesize

      632KB

    • memory/400-14-0x00000000009A0000-0x0000000000A3E000-memory.dmp

      Filesize

      632KB

    • memory/900-10-0x0000000000980000-0x0000000000A1E000-memory.dmp

      Filesize

      632KB

    • memory/900-17-0x0000000000980000-0x0000000000A1E000-memory.dmp

      Filesize

      632KB

    • memory/900-18-0x0000000000980000-0x0000000000A1E000-memory.dmp

      Filesize

      632KB